mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-29 22:35:50 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: Add guest file uploads and add deletion for note owners

Browse source 
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
Yannick Bungers 2023-03-25 17:47:46 +01:00 committed by Yannick Bungers
parent 0f464dedfe
commit 485f7cd338
8 changed files with 244 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

50
backend/src/api/private/media/media.controller.ts
View file

@ -23,10 +23,12 @@ import { MediaUploadDto } from '../../../media/media-upload.dto';
import { MediaService } from '../../../media/media.service';
import { MulterFile } from '../../../media/multer-file.interface';
import { Note } from '../../../notes/note.entity';
import { NotesService } from '../../../notes/notes.service';
import { Permission } from '../../../permissions/permissions.enum';
import { User } from '../../../users/user.entity';
import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
import { OpenApi } from '../../utils/openapi.decorator';
import { Permissions } from '../../utils/permissions.decorator';
import { PermissionsGuard } from '../../utils/permissions.guard';
import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator';
@ -38,7 +40,6 @@ export class MediaController {
constructor(
private readonly logger: ConsoleLoggerService,
private mediaService: MediaService,
private noteService: NotesService,
) {
this.logger.setContext(MediaController.name);
}
@ -60,8 +61,10 @@ export class MediaController {
name: 'HedgeDoc-Note',
description: 'ID or alias of the parent note',
})
@UseGuards(PermissionsGuard)
@UseInterceptors(FileInterceptor('file'))
@UseInterceptors(NoteHeaderInterceptor)
@Permissions(Permission.WRITE)
@OpenApi(
{
code: 201,
@ -76,15 +79,22 @@ export class MediaController {
async uploadMedia(
@UploadedFile() file: MulterFile | undefined,
@RequestNote() note: Note,
@RequestUser() user: User,
@RequestUser({ guestsAllowed: true }) user: User | null,
): Promise<MediaUploadDto> {
if (file === undefined) {
throw new BadRequestException('Request does not contain a file');
}
this.logger.debug(
`Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
'uploadMedia',
);
if (user) {
this.logger.debug(
`Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
'uploadMedia',
);
} else {
this.logger.debug(
`Received filename '${file.originalname}' for note '${note.id}' from not logged in user`,
'uploadMedia',
);
}
const upload = await this.mediaService.saveFile(file.buffer, user, note);
return await this.mediaService.toMediaUploadDto(upload);
}
@ -95,21 +105,29 @@ export class MediaController {
@RequestUser() user: User,
@Param('filename') filename: string,
): Promise<void> {
const username = user.username;
this.logger.debug(
`Deleting '${filename}' for user '${username}'`,
'deleteMedia',
);
const mediaUpload = await this.mediaService.findUploadByFilename(filename);
if ((await mediaUpload.user).username !== username) {
const mediaUploadOwner = await mediaUpload.user;
const mediaUploadNote = await mediaUpload.note;
const mediaUploadNoteOwner = await mediaUploadNote?.owner;
if (
mediaUploadOwner?.id === user.id ||
user.id === mediaUploadNoteOwner?.id
) {
this.logger.debug(
`Deleting '${filename}' for user '${user.username}'`,
'deleteMedia',
);
await this.mediaService.deleteFile(mediaUpload);
} else {
this.logger.warn(
`${username} tried to delete '${filename}', but is not the owner`,
`${user.username} tried to delete '${filename}', but is not the owner of upload or connected note`,
'deleteMedia',
);
throw new PermissionError(
`File '${filename}' is not owned by '${username}'`,
`Neither file '${filename}' nor note '${
mediaUploadNote?.id ?? 'unknown'
}'is not owned by '${user.username}'`,
);
}
await this.mediaService.deleteFile(mediaUpload);
}
}